The Legislative Audit Committee
of  the  Montana  State  Legislature: 

This  is  our  EDP  audit  of  controls  relating  to  the  state's  centralized  data  processing 
systems  operated  by  the  Department  of  Administration.  We  reviewed  the  department's 
application  controls  over  State  Payroll,  Statewide  Budgeting  and  Accounting  System 
(SBAS),  and  the  Warrant  Writer  system.  This  report  contains  recommendations  for 
improving  controls  related  to  the  SBAS  and  Warrant  Writer  systems.  Written  responses 
to  our  audit  recommendations  are  included  in  the  back  of  the  report. 

We  thank  the  Department  of  Administration  for  their  cooperation  and  assistance 
throughout  the  audit. 

Scott A. Seacat
Legislative  Auditor 


Report Summary


Introduction 


This  EDP  Audit  reviewed  centralized  controls  over  the  state's 
mainframe  computer  and  the  State  Payroll,  the  Statewide  Budgeting 
and Accounting System (SBAS), and the Warrant Writer computer
based  applications.  The  audit  included  a  general  control  review  of 
the  state's  mainframe  computer  and  application  reviews  of  State 
Payroll,  SBAS,  and  Warrant  Writer.  A  discussion  of  general  and 
application  controls  is  included  on  pages  1  and  2.  The  audit 
objectives  and  scope  are  discussed  on  pages  2  and  3  of  the  report. 


General  Controls 


The  Department  of  Administration's  Information  Processing  Facility 
(IPF) is located in the Mitchell Building in Helena. Central data
processing services include: mainframe computer processing;
design, development, and maintenance support of data processing
applications; and disaster recovery facilities for critical data processing
applications. Processing is performed on an IBM computer
operating  24  hours  a  day  except  during  scheduled  system 
maintenance. 


Chapter  II  discusses  the  review  of  general  controls.  General  controls 
are  developed  by  management  to  ensure  central  computer  operations 
function  as  intended  and  provide  effective  data  processing  service  to 
users.  Overall  general  controls  specific  to  mainframe  processing 
services  provided  controlled  application  processing  during  fiscal 
year  1995-96.  Chapter  II  also  discusses  disaster  recovery  tests 
performed  during  the  audit  period  and  ongoing  recovery  plans. 


Application  Controls 


The  Department  of  Administration  operates  the  SBAS,  State  Payroll, 
and  Warrant  Writer  systems.  These  systems  provide  centralized 
accounting,  payroll,  and  warrant  writing  functions  to  state  agencies 
and  units  of  the  Montana  University  System.  SBAS  is  an  accounting 
system  which  provides  financial  reporting  of  agency  transactions. 
State  Payroll  processes  payroll  for  state  agencies  and  units  of  the 
Montana  University  System.  Warrant  Writer  creates  state  warrants 
from  agency  submitted  transfer  warrant  claims  processed  through 
SBAS. 


Chapter  III  discusses  the  review  of  application  controls.  Overall 
application  controls  ensured  SBAS,  State  Payroll,  and  Warrant 
Writer transactions were completely and accurately processed.
Audit issues address areas where the department could improve
internal procedures and operations to ensure continued reliability
over SBAS transaction processing. In addition to providing the
status of a prior recommendation for Warrant Writer, Chapter III
also includes a recommendation concerning uncollectible debt write-off
reporting procedures.


Chapter I - Introduction


This  is  our  annual  electronic  data  processing  (EDP)  audit  of  the 
state's  centralized  data  processing  systems.  The  audit  included 
centralized  controls  over  the  state's  mainframe  computer  and  three 
computer  based  applications:  State  Payroll,  Warrant  Writer,  and  the 
Statewide  Budgeting  and  Accounting  System  (SBAS). 


The audit was conducted at the Department of Administration which
maintains the state's mainframe, State Payroll, SBAS and Warrant
Writer. The controls identified and tested can be relied upon by
financial-compliance, performance, and EDP auditors for the fiscal
year 1995-96 audit period.


Organization of Report


The report contains three chapters. Chapter I contains the
introduction, background information, and audit objectives. Chapter
II discusses our review of general controls applicable to the
Department of Administration's Information Processing Facility.
Chapter III includes our application review of the department's
SBAS, State Payroll, and Warrant Writer computer applications.


EDP Audit General and
Application Controls

EDP  controls  provide  assurance  over  the  accuracy,  reliability,  and 
integrity  of  the  information  processed.  From  the  audit  work,  a 
determination  is  made  as  to  whether  controls  exist  and  are  operating 
as  designed.  A  general  control  review  includes  an  examination  of 
the  following  controls: 

Organizational  -  apply  to  the  structure  and  management  of  the 
computing  and  information  services  facility.   Specific  types  of 
organizational  controls  include  segregation  of  duties,  assignment  of 
responsibilities,  rotation  of  duties,  and  supervision. 

Procedural  -  operating  standards  and  procedures  which  ensure  the 
reliability  of  computer  processing  results  and  protect  against 
processing  errors. 

Hardware and Software - controls within the operating system
software and hardware which monitor and report system error
conditions.

System  Development  -  oversight  and  supervisory  controls  imposed 
on  development  projects.   Controls  include  feasibility  studies, 
development, testing and implementation, documentation, and
maintenance. 

Physical  Security  -  physical  site  controls  including  security  over 
access  to  the  computer  facility,  protection  devices  such  as  smoke 
alarms  and  sprinkler  systems,  and  disaster  prevention  and  recovery 
plans. 

Electronic  Access  -  controls  which  allow  or  disallow  user  access  to 
electronically  stored  information  such  as  data  files  and  application 
programs. 

A  general  control  review  provides  information  regarding  the  ability 
to  control  EDP  applications.  Application  controls  are  specific  to  a 
given  application  or  set  of  programs  that  accomplish  a  specific 
objective.  Application  controls  consist  of  an  examination  of  the 
following  controls  and  objectives: 

Input  -  Ensure  all  data  is  properly  coded  to  machine  language,  all 
entered  data  is  approved,  and  all  approved  data  is  entered. 

Processing  -  Ensure  all  data  input  is  processed  as  intended. 

Output - All processed data is reported and properly distributed to
authorized  individuals. 

A  review  of  the  application  documentation  and  audit  trail  is  also 
performed.  Applications  must  operate  within  the  general  control 
environment  in  order  for  reliance  to  be  placed  on  them. 


Audit Objectives


The objectives of this EDP audit were to determine the adequacy of:

1.  General  controls  specific  to  the  state  mainframe  computer. 

2.  Application  controls  over  data  processed  by  the  SBAS,  State 
Payroll,  and  Warrant  Writer  applications. 


Audit Scope and
Methodology


The audit was conducted in accordance with government audit
standards. We compared existing general and application controls
against criteria established by the American Institute of Certified
Public Accountants (AICPA), United States General Accounting
Office (GAO), and the EDP industry.

We  reviewed  the  Department  of  Administration's  general  controls 
related  to  the  state  mainframe  environment.  We  interviewed 
department  personnel  to  gain  an  understanding  of  the  hardware  and 
software environment at the Department of Administration. We also
examined documentation to supplement and confirm information
obtained through interviews.

We  examined  procedures  within  the  mainframe  environment  which 
ensure  computer  processing  activities  are  controlled.  For  example, 
we  determined  if  mainframe  equipment  is  maintained  in  a  secured 
area and access is limited to authorized personnel. The department
provides data entry and processing services to state agencies. We
reviewed department procedures which ensure data processing is
completed  per  agency  authorization. 

We  conducted  application  reviews  over  State  Payroll,  Warrant 
Writer, and SBAS. We interviewed employees of the Department of
Administration to evaluate policies and procedures. We reviewed
input, processing, and output controls for these systems. We also
reviewed supporting documentation to determine if controls over
data  are  effective  as  well  as  adequate  to  ensure  the  accuracy  of  data 
during  processing  phases. 

Controls  over  centralized  operations  are  supplemented  by  controls 
established  at  user  agencies.  We  did  not  review  controls  established 
by  user  agencies. 


Compliance


We  determined  compliance  with  applicable  state  laws  and  rules  and 
Montana  Operations  Manual  policies.  Except  as  discussed  on  page 
12,  we  found  the  Department  of  Administration  to  be  in  compliance 
with  applicable  laws,  rules  and  state  policy. 


Prior  Audit 
Recommendations 


Our  prior  audit  report  for  fiscal  year  1994-95  included  four 
recommendations  still  applicable  to  the  Department  of 
Administration.  The  department  concurred  with  each 
recommendation.  The  department  implemented  three 
recommendations  and  did  not  implement  one  recommendation. 


The  one  recommendation  not  implemented  concerns  modification  to 
the  Warrant  Writer  System  to  provide  for  automatic  offsets  against 
direct  deposits.  This  issue  is  discussed  on  page  13  of  the  report. 

The department's Information Processing Facility (IPF) is located in
the  Mitchell  Building  in  Helena.   State  employees  process 
application  programs  and  data  stored  on  the  mainframe  through 
personal  computers  and  terminals  located  across  the  state.  This 
chapter  discusses  our  review  of  management's  operating  procedures 
and  controls  which  ensure  continuous,  reliable,  and  accurate 
mainframe  data  processing  services. 

The department's Information Services Division (ISD) provides data
processing services for use by state agencies. Central data
processing services include: mainframe computer processing;
design, development, and maintenance support of data processing
applications; and disaster recovery facilities for critical data processing
applications. Processing is performed on an IBM computer
operating  24  hours  a  day  except  during  scheduled  system 
maintenance. 


Conclusion: General
Controls Provide Controlled
Application Processing


General controls are developed by management to ensure computer
operations function as intended and provide effective data processing
service to users. Overall general controls specific to mainframe
processing services provided controlled application processing
during fiscal year 1995-96.


Physical Security

Physical  security  controls  provide  security  against  accidental  loss  or 
destruction  of  data  and  program  files  or  equipment  and  ensure 
continuous  operation  of  application  processing  functions.   Physical 
security  controls  include:  safeguard  of  files,  programs  and 
documentation;  physical  access  over  the  computer  facility;  and  a 
plan  or  method  to  ensure  continuity  of  operations  following  major 
destruction  of  files  or  hardware  breakdown. 


We  reviewed  existing  physical  controls  in  place  at  the  Information 
Processing Facility. The department maintains computer hardware
on  a  raised  floor.  Smoke  alarms  function  properly.  Air 
conditioning  maintains  controlled  computer  room  temperature.  The 
power  supply  meets  computing  equipment  needs. 

The department continues to improve its ability to recover the
Information  Processing  Facility  following  a  disaster.  The  following 
section  discusses  the  department's  disaster  recovery  plan  and 
implementation  status  during  fiscal  year  1995-96. 


Disaster  Recovery 
Background 


The  department  received  funding  from  the  1991  Legislature  to 
design  and  implement  a  contingency  plan,  which  included  a  "hotsite" 
and  the  appropriate  backup  equipment.   In  February  1992,  ISD 
established  a  five  year  contract  for  a  backup  hotsite  with 
Weyerhaeuser  Information  Systems  in  Federal  Way,  Washington. 
The  hotsite  agreement  provides  ISD  an  alternative  location  and 
equipment  necessary  to  recover  mainframe  computer  operations. 
The  contract  also  provides  for  annual  on-site  recovery  testing  of  the 
central  mainframe  operating  system  and  agency-owned  applications. 


During  fiscal  year  1994-95  ISD  drafted  a  recovery  plan  which 
defines  ISD  personnel  responsibilities,  hardware  and  software 
requirements,  and  mainframe  operating  system  recovery  procedures. 
In  May  1996,  ISD  conducted  an  annual  recovery  test.  This  was  the 
fourth  disaster  recovery  drill  conducted  since  1992.  Agency 
applications  included  in  the  test  were  SBAS,  State  Payroll, 
SEARCHS,  Title  and  Registration,  and  Driver  Control  systems.  ISD 
also recovered the mainframe operating system software,
telecommunications system software, and Department of
Correction's applications operating on a minicomputer platform.
This allowed the application users to perform processing tests at the
hotsite from computer terminals in Helena.


Ongoing  Recovery  Plans 


ISD  continues  to  work  with  interested  state  agencies  to  test  recovery 
of  agency-owned  applications  and  verify  recovery  procedures  are 
reliable.  Although  ISD  can  recover  agency  applications  and  provide 
mainframe  connection  capabilities  for  agency-owned  terminals,  ISD 
cannot  define  agency  application  recovery  priorities  or  personnel 
responsibilities.  After  completing  the  plan,  ISD  will  provide 
guidance  to  state  agencies  for  documenting  agency  application 
recovery  procedures  within  the  plan. 


Disaster  recovery  planning  requires  ongoing  preparation.  By 
establishing  documented  procedures,  ISD  significantly  improves  its 
ability to recover mainframe computing operations following a
disaster. We will continue to review the status of ISD's disaster
recovery  plan.  We  also  continue  to  review  individual  state  agency 
disaster  recovery  procedures  during  financial-compliance, 
performance,  and  EDP  audits. 

The Department of Administration operates the Statewide Budgeting
and  Accounting  System  (SBAS),  State  Payroll,  and  Warrant  Writer 
systems.  These  systems  provide  centralized  accounting,  payroll,  and 
warrant  writing  functions  for  state  agencies  and  units  of  the  Montana 
University  System.   We  reviewed  application  controls  over  these 
systems  to  ensure  the  systems  processed  information  as  intended 
during  fiscal  year  1995-96. 


Statewide  Budgeting  and 
Accounting  System 


The  Department  of  Administration's  Accounting  Bureau  operates  the 
Statewide  Budgeting  and  Accounting  System.   SBAS  is  an 
accounting  system  which  provides  budgetary  control  data  used  for 
agency management decisions. SBAS also provides uniform
accounting  and  reporting  for  all  state  agencies  by  showing  receipt, 
use,  and  disposition  of  public  money  and  property  in  accordance 
with  generally  accepted  accounting  principles  (GAAP). 


SBAS  is  a  combination  of  on-line  entry  and  batch  update.  State 
agencies  input  SBAS  transactions  using  On-line  Entry  &  Edit 
(OE&E)  or  submit  transactions  to  the  OE&E  database  by  remote 
entry.  The  transactions  are  held  in  a  processing  queue  until 
Accounting  Bureau  runs  a  nightly  job  which  gathers  the  data.  SBAS 
edits  check  the  data  to  ensure  validity.  If  a  transaction  does  not  pass 
an  edit,  it  will  reject  from  processing  and  may  require  correction. 
Transactions  which  pass  all  edits  are  processed  and  posted  to  the 
SBAS  database. 


Conclusion:  SBAS 
Application  Controls 
Effective  and  Adequate  for 
Fiscal  Year  1995-96 


We  reviewed  input,  processing,  and  output  controls  over  SBAS 
during  fiscal  year  1995-96.  Overall  application  controls  ensured 
SBAS  transactions  were  completely  and  accurately  processed.  The 
following  sections  discuss  areas  where  Accounting  Bureau  could 
improve  internal  procedures  and  operations  to  ensure  continued 
reliability  over  SBAS  transaction  processing. 


Remove Access to SBAS
When  no  Longer  Needed 


The  Department  of  Administration's  Application  Services  Bureau 
(ASB)  provides  programming  support  to  Accounting  Bureau  for  the 
SBAS  application.   ASB  programmers  perform  system  maintenance 
or  enhancements  over  SBAS  upon  Accounting  Bureau  request. 
Accounting  Bureau  authorizes  programmer  access  to  SBAS  programs 
through  Access  Control  Facility  (ACF-2)  software  rules.   Industry 
standards  suggest  management  remove  user  access  to  production 
programs  and  data  when  no  longer  needed.  ACF-2  rules  over  SBAS 
provide  unnecessary  access  to  a  former  ASB  programmer  who 
changed  position  duties  one  year  prior  to  our  review.  The  access 
could  allow  unauthorized  changes  to  SBAS  production,  test,  or  job 
submission  programs.  For  example,  programs  could  be  modified  to 
cause  improper  transaction  posting  or  unreliable  management 
reports. 


Existing  procedures  do  not  provide  for  automatic  notification  to 
Accounting  Bureau  when  ASB  programmers  change  job  duties  or 
terminate  employment.  Accounting  Bureau  could  periodically 
review electronic access rules to identify unnecessary user access or
establish  an  agreement  with  ASB  for  prompt  notification  upon 
changes  to  programmer  support  services  and  responsibilities. 

Recommendation #1

We  recommend  the  department  remove  user  access  to  SBAS 
when  no  longer  needed. 


Document  Daily 
Procedures  Over  SBAS 
Operations 


The  Accounting  Bureau  maintains  system  documentation  in  hard 
copy  and  electronic  form,  and  stores  copies  at  an  offsite  location. 
We  found  the  Accounting  Bureau  should  also  document  daily 
processing  procedures  as  performed  by  various  employees 
responsible  for  SBAS  operations. 

Industry guidelines suggest management document employee
procedures  applicable  to  computer  system  operations. 
Documentation  should  include  daily  SBAS  job  submission 
procedures,  update  exception  report  processing,  and  online  entry 
procedures over user control standards and the Information Core &
Control  forms.   For  example,  employees  submit  a  job  each  day  to 
process  agency  accounting  transactions.  They  also  review 
transactions  which  fail  to  process  and  implement  agency  user 
requests  for  access  to  OE&E. 

Documented  procedures  can  ensure  continuous  daily  operations  by 
providing  employee  guidelines,  instruction  for  backup  personnel, 
and  training  for  new  employees.  The  department  could  include  the 
employee  procedures  with  existing  user  documentation. 

Recommendation  #2 

We  recommend  the  department  document  employee  job 
procedures  applicable  to  daily  SBAS  operations. 


State Payroll System


The State Payroll System processes payroll for state agencies and
selected units of the Montana University System. The system also
includes personnel and position control components. These
components provide information about employees or management
information necessary for budgeting purposes, respectively.

The  payroll  component  of  the  State  Payroll  System  issues  and  tracks 
state  of  Montana  employees'  wage  and  benefit  payments.  Similar  to 
SBAS,  processing  is  completed  through  a  combination  of  on-line 
entry  and  batch  update.  State  agencies  and  university  units  input 
employee time information using On-line Pre-payroll, an interface to
the State Payroll System. The State Payroll System retrieves and
checks the data against edits to ensure validity. Payroll data which
fails edits tests is corrected prior to further processing. Once all
payroll data is corrected, State Payroll personnel submit a job which
calculates  gross  pay,  deductions,  net  pay,  and  leave  and  service 
adjustments.  In  addition,  the  system  automatically  bills  state 
agencies  for  their  payroll  costs,  updates  SBAS,  and  prepares  payroll 
reports. 


Conclusion: State Payroll
Application  Controls 
Effective  and  Adequate  for 
Fiscal  Year  1995-96 


The  audit  was  limited  to  payroll  transactions  processed  through  the 
State Payroll System. Overall application controls ensured payroll
transactions  processed  accurately  and  completely  during  fiscal  year 
1995-96. 


Warrant  Writer  System 


The  Warrant  Writer  system  controls  creation  and  distribution  of 
most  state  warrants  and  the  redemption  of  all  state  warrants.  The 
system  creates  state  warrants  from  agency  submitted  transfer  warrant 
claims processed through SBAS. After daily SBAS processing is
completed, Warrant Writer retrieves SBAS transactions which
require  warrants  to  be  written.  The  system  accounts  for  state 
warrants  issued,  outstanding,  and  redeemed. 


Conclusion:   Warrant 
Writer  Application  Controls 
Effective  and  Adequate  for 
Fiscal  Year  1995-96 


Overall  application  controls  ensured  Warrant  Writer  transactions 
were  completely  and  accurately  processed.  The  following  sections 
discuss  state  compliance  concerns  and  provide  an  update  to  a  prior 
audit  recommendation. 


Change  State  Law  for 
Reporting  Debt  Write-Offs 
to  the  Budget  Director 


The  department's  Debt  Collection  Unit  (DCU)  provides  collection 
services  to  state  agencies  upon  request.  The  DCU  attempts  to  collect 
bad  debts  by  offsetting  state  warrants,  such  as  income  tax  refunds, 
for  a  period  of  three  years.  Each  month,  employees  write-off  bad 
debts  they  determine  are  uncollectible.  During  fiscal  year  1995-96, 
the  DCU  wrote  off  uncollectible  debt  totaling  $1,600,138  and 
recovered  $2,298,983. 


Section  17-4-107(2)  requires  the  department  to  report  write-off  or 
cancellation  of  accounts  receivable  to  the  Office  of  Budget  and 
Program  Planning  (OBPP)  budget  director.  The  department  no 
longer  reports  this  information  to  the  budget  director. 

In  1992  the  OBPP  requested  the  Warrant  Writer  section  (then  under 
the State Auditor's Office) no longer report the write-off activity,
since  the  information  is  available  upon  request.  Department 
employees  believe  the  OBPP  no  longer  uses  the  information. 
However,  current  law  requires  the  information  be  furnished  to  the 
budget  director. 

Recommendation #3

We  recommend  the  department  seek  legislation  to  remove  or 
revise  the  requirement  for  reporting  write-off  or  cancellation  of 
accounts  receivable  to  the  budget  director. 


Prior Audit
Recommendation


In the previous audit, we recommended the Department of
Administration modify the Warrant Writer System to provide for
automatic offsets against direct deposits. The following section
summarizes the issue and the status of the prior recommendation.


Automate the Offset
Process for Direct Deposits

The  Bad  Debts  component  of  the  Warrant  Writer  System  withholds 
warrants  written  to  the  payee  if  that  payee  owes  money  to  the  state  of 
Montana.   During  warrant  processing,  an  electronic  file  of  debtors  is 
compared  against  warrant  payees.  If  a  match  is  identified, 
department  personnel  adjust  or  "offset"  the  warrant  for  the  amount 
owed  to  the  state  of  Montana.  However,  the  Bad  Debts  component 
is  unable  to  automatically  offset  state  of  Montana  payments  made  by 
direct  deposit. 

Section 17-4-105(2), MCA, requires the Department of Administration
to offset any amount due from the payee to the state of
Montana. Although state law does not specifically address direct
deposits, the department could modify system programming to
provide for a direct deposit offset.

Department  employees  manually  offset  approximately  300  direct 
deposit  payments  each  month.  This  procedure  requires  employees 
adjust  daily  direct  deposits  and  issue  state  warrants  for  any  balance 
remaining  following  offset.  They  expect  this  figure  to  increase  due 
to  a  growing  trend  toward  payment  by  direct  deposit.  For  example, 
state  income  tax  refunds  are  available  by  direct  deposit.   In  addition, 
state  agencies  currently  pay  fifty-six  cents  per  mailed  warrant  or 
sixteen  cents  for  each  direct  deposit.  This  savings  will  encourage 
state  agencies  to  pay  their  vendors  by  direct  deposit.  The  cost  to 
automate  the  direct  deposit  offset  process  can  be  recovered  by 
enabling employees to more effectively process bad debt
adjustments. 

Although  the  department  has  not  implemented  our  prior 
recommendation  to  automate  offsets  against  direct  deposits,  it 
continues  to  seek  a  programming  solution.   We  will  continue  to 
monitor  the  department's  progress  during  future  audits.  Therefore, 
we  make  no  recommendation  at  this  time. 


Agency  Response 



DEPARTMENT OF ADMINISTRATION
DIRECTOR'S OFFICE

MARC RACICOT, GOVERNOR
STATE OF MONTANA

MITCHELL BUILDING
PO BOX 200101
HELENA, MONTANA 59620-0101
(406) 444-2032
FAX 444-2812


October?,  1996 

Scott A. Seacat

Legislative  Audit  Division 
State  Capitol 
Helena,  MT    59620 

Dear  Scott: 

We have reviewed the recommendations in the Information Processing Facility and Central
Applications EDP Audit dated October 1996. Our responses follow:

Recommendation #1: We recommend the department remove user access to SBAS
when  no  longer  needed. 

Response:  We  concur.  This  is  our  current  policy.  At  times  we  have  different 
programmers  working  on  various  SBAS  projects  who  are  given  access  to  SBAS  files  for 
the  duration  of  the  project.  All  Application  Services  Bureau  (ASB)  programmers  are  logged 
and  the  log  reports  reviewed  daily.  Any  unanticipated  logging  is  noted  and  discussed  with 
ASB.  We  will  review  the  rules  more  frequently,  especially  after  special  projects  are 
completed. 

Recommendation  #2:  We  recommend  the  department  document  employee  job 
procedures  applicable  to  daily  SBAS  operations. 

Response:  We  concur.  We  have  written  procedures  for  the  two  positions  primarily 
involved  in  the  daily  operation  of  SBAS.  However,  the  procedures  have  not  been  updated 
for  new  processes  implemented  in  the  current  year.  Final  procedures  generally  are  not 
written  until  the  process  is  implemented  and  in  place  for  a  period  of  time.  The  employee 
job  procedures  will  be  updated  within  the  next  two  months. 

Recommendation  #3:  We  recommend  the  department  seek  legislation  to  remove  or 
revise  the  requirement  for  reporting  write-off  or  cancellation  of  accounts  receivable 
to  the  budget  director. 

Response:  We  concur.  We  will  incorporate  the  change  in  other  debt  collection  legislation 
being  proposed  by  the  department  in  the  next  legislative  session. 

As  indicated  in  the  audit  report,  we  continue  to  pursue  the  programming  changes  needed 
to  automate  offsets  against  direct  deposit  payments.  Currently,  this  is  a  manual  process. 
We  will  incorporate  the  necessary  programming  changes  in  ongoing  system  planning  and 
updating. 

We  appreciate  the  opportunity  to  work  with  your  staff  on  these  issues. 

Sincerely, 


LOIS  MENZIES 
Director 